From owner-freebsd-hackers Thu Jul 3 07:08:49 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id HAA11291 for hackers-outgoing; Thu, 3 Jul 1997 07:08:49 -0700 (PDT) Received: from ocean.campus.luth.se (ocean.campus.luth.se [130.240.194.116]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id HAA11284 for ; Thu, 3 Jul 1997 07:08:41 -0700 (PDT) Received: (from karpen@localhost) by ocean.campus.luth.se (8.8.5/8.8.5) id QAA03863; Thu, 3 Jul 1997 16:09:41 +0200 (CEST) From: Mikael Karpberg Message-Id: <199707031409.QAA03863@ocean.campus.luth.se> Subject: Re: Crypto (MD5,DES) filesystem In-Reply-To: <199707031212.OAA18858@ws6423.gud.siemens.at> from "marino.ladavac@siemens.at" at "Jul 3, 97 02:12:20 pm" To: lada@ws6303.gud.siemens.at Date: Thu, 3 Jul 1997 16:09:41 +0200 (CEST) Cc: freebsd-hackers@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL31H (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-hackers@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk According to marino.ladavac@siemens.at: > > Hi! > > > > I'm looking for an implementation of crypto filesystem for FreeBSD. > > Perhaps it doesn't exist at all (yet). > > Not that I know of. Crypto filesystems that are not worse than useless > are not easy. > > > > I'm ignorant in filesystems intrinsics, so don't laugh, but here's my idea > > how it could be done: [...] > > mount_crypto -e md5 /home/user/plaintext/locked /home/user/unlocked > > > > And then everyone who has read access to the mounted files gets to see > them as plaintext. Anyone who happens to be root gets all of the contents > for free. > > This is worse than useless because it conveys a false feeling of security > unless you consider the implications (then it becomes just plain useless:) What's so useless about it? Root can go in and read to his hearts content from /dev/mem, if needed. You can't really stop root from reading anything, as long as it is not encrypted all the time while it's passing that computer. And a crypted filesystem is impossible, then. That is, unless you do something like NFS (where you can also mount it locally) where the client is responsible for (de/en)crypting all the data. Then you could be safe, if the root at the other machine had no power on your client machine, but just the server. If you can't trust the superuser on a machine, then don't use that machine for things that you care a lot about. It should be possible to make a filesystem visible only to the person that mounted it, no? I know basically nothing about the filesystem code, but I can't imagine it would be very difficult. Just store the user id in the "mount struct" (or whatever). /Mikael